Ion in the fire: three banks call in lawyers after hack

Banks are examining service-level agreements for possible breaches


At least three banks are weighing their legal options over a cyber attack that has disrupted derivatives trading since the end of January, and drawn the scrutiny of regulators and law enforcement agencies around the world.

Ion Group, which supplies software used to process cleared derivatives trades, shut down access to some of its services on January 31 after hackers seized control of its servers. The outage affected 42 clients, forcing some to process trades manually and delay regulatory reporting.

Three banks are now looking into whether Ion breached its service-level agreement (SLA), which outlines performance expectations as well as remedies for falling short. One of those is taking legal advice on whether it can seek compensation from Ion, or even sever its contract with the vendor altogether.


“This is a highly sensitive matter right now with armies of lawyers involved,” a risk manager at one global clearing bank tells Risk.net.

It’s not a uniform response. A risk manager at a fourth bank says their employer is not currently taking legal advice.

“There is nothing to indicate from our side that SLAs weren’t adhered to at this point in time, but we haven’t concluded either way,” they say.

Ion declined to comment.

The validity of any legal action would hinge on the specific terms that banks negotiated with Ion. “Each firm will have their own SLAs with Ion, including some who have additional security measures in place,” says the risk manager. While these can vary between clients, the contracts banks negotiate with critical vendors often spell out expectations for cyber security, data backups and disaster recovery.

“Regulators are increasingly expecting that degree of specificity and oversight over vendors,” says Michael Bahar, co-lead of the global cyber security and data privacy practice at law firm Eversheds Sutherland. “It’s not enough to just leave it to a negligence or reasonableness standard.”

Ion’s problems could invite more regulatory scrutiny of banks’ dealings with vendors. “This incident confirms why we require all regulated firms to have appropriate operational resilience plans in place, including for when third party providers are subject to outages or issues,” says a spokesperson for the UK Financial Conduct Authority, which is investigating the cyber attack.

As part of their response, banks are seeking to establish whether Ion practiced at least basic cyber security hygiene—such as insisting on multi-factor authentication (MFA) for employees and users—and had an appropriate data back-up strategy to recover from a cyber attack.

“There’s a clear line in the sand beginning to emerge as to what practices you’re expected to have, [and] one is having MFA,” says Oliver Tavakoli, chief technology officer at cyber security firm Vectra.

MFA makes it harder for unauthorized users to access systems and accounts with stolen credentials, because a password alone is no longer enough to log in.

Another minimum expectation is adhering to the so-called 3-2-1 backup strategy of maintaining three copies of data, with two stored locally on different systems, and one off-site.

A consultant who has worked with Ion in the past says the extended service outage raises questions about the company’s data backup policy: “Anything longer than four days for databases to restore really is jaw-dropping.”
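As an added illustration (not Ion's code, and not something the article describes), the Python below checks a backup inventory against the 3-2-1 rule and against a restore objective. The inventory format, the field names and the thresholds are assumptions: 96 hours echoes the consultant's "four days" remark, and 30 days between test restores is illustrative. The sample inventory is constructed.

```python
"""Check a backup inventory against the 3-2-1 rule and a restore objective.

Added example, not Ion's or the article's code. The inventory format,
field names and thresholds are assumptions; the sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    system: str                   # host or service holding this copy
    medium: str                   # "disk", "object-storage", "tape", ...
    offsite: bool                 # outside the primary site
    immutable: bool               # producing account cannot alter or delete it
    last_test_restore: datetime   # when a full test restore last succeeded
    restore_hours: float          # how long that test restore took


def check_dataset(copies, now, max_restore_hours=96.0, max_test_age_days=30):
    """Return findings for one dataset's copies; an empty list means compliant.

    Thresholds are assumptions: 96 h mirrors the "four days" remark in the
    article, 30 days for restore-test age is illustrative.
    """
    findings = []
    # 3: at least three copies, the primary included.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    # 2: copies held on at least two different systems.
    if len({c.system for c in copies}) < 2:
        findings.append("all copies on one system")
    # 1: at least one copy off-site.
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    # Caveat beyond the bare rule: an attacker who controls the servers can
    # delete any copy those servers can write to, so the off-site copy only
    # counts as a recovery point if the compromised credentials cannot reach it.
    elif not any(c.immutable for c in offsite):
        findings.append("off-site copy is not immutable")
    # A backup nobody has restored is an assumption, not a recovery plan, and
    # a restore slower than the objective misses the recovery-time target.
    for c in copies:
        age = now - c.last_test_restore
        if age > timedelta(days=max_test_age_days):
            findings.append(f"{c.system}: last test restore {age.days} days ago")
        if c.restore_hours > max_restore_hours:
            findings.append(
                f"{c.system}: test restore took {c.restore_hours:.0f} h, "
                f"objective {max_restore_hours:.0f} h"
            )
    return findings


def check_inventory(copies, now, **limits):
    """Group copies by dataset and return {dataset: findings}."""
    by_dataset = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)
    return {name: check_dataset(cs, now, **limits) for name, cs in by_dataset.items()}


# Constructed sample inventory (hypothetical hosts and buckets, not real data).
NOW = datetime(2023, 2, 10, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # Satisfies 3-2-1, has an immutable off-site copy, restores tested recently.
    BackupCopy("trades_db", "db-01", "disk", False, False, NOW - timedelta(days=3), 4.0),
    BackupCopy("trades_db", "backup-02", "disk", False, False, NOW - timedelta(days=3), 6.0),
    BackupCopy("trades_db", "bucket-eu-west", "object-storage", True, True, NOW - timedelta(days=10), 18.0),
    # Three copies, but the off-site one is deletable, tests are stale and
    # the last off-site restore took five days.
    BackupCopy("reports_db", "db-03", "disk", False, False, NOW - timedelta(days=200), 2.0),
    BackupCopy("reports_db", "db-03", "disk", False, False, NOW - timedelta(days=200), 2.0),
    BackupCopy("reports_db", "bucket-us-east", "object-storage", True, False, NOW - timedelta(days=45), 120.0),
    # A single copy on the production host: fails all three parts of the rule.
    BackupCopy("ref_data", "db-01", "disk", False, False, NOW - timedelta(days=1), 1.0),
]

if __name__ == "__main__":
    for dataset, findings in check_inventory(SAMPLE_INVENTORY, NOW).items():
        print(dataset, "OK" if not findings else findings)
```

Run as a script it prints one line per dataset; the immutability check is deliberately stricter than the textbook rule, because an off-site copy that the compromised environment can still delete does not help once attackers hold the servers.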

Simply establishing that Ion breached its SLA may not be enough to recover meaningful damages, however. A source at a US clearing firm is skeptical the legal maneuvers will yield much in the way of compensation. SLAs generally cap the amount of damages that can be claimed for breaches, except in the case of gross negligence or wilful misconduct, and Ion has “air-tight contracts”, this person says.


SLAs with large technology vendors typically limit compensation to fees paid during the course of the outage, or at most the value of the contract. “Any damages would usually be capped, for example, at 12 months of fees previously paid,” says Nathaniel Lalone, a partner at law firm Katten Muchin Rosenman.

Compensation may not be the only remedy banks have in mind. If there was a significant violation of the SLA, then Bahar at Eversheds says banks could claim breach of contract and escape their agreements with Ion, or use it as leverage to renegotiate existing terms.

“If you have a very specific list of appropriate technical and organizational measures [in the SLA], and if one of those wasn’t actually in place—if the vendor said they have multi-factor authentication and they didn’t—it would actually be a violation of the contract,” Bahar says.

Banks have long complained about Ion’s multi-year contracts and its use of punitive break fees and hardball negotiating tactics to prevent them switching suppliers.

“Trying to cancel your contract is almost impossible,” says the source at the third bank, which intends to sever its ties with Ion in the wake of the cyber attack.

Katten’s Lalone says Ion may still have the whip hand even if banks can establish breach of contract. “Normally, you wouldn’t necessarily go directly to breach because, frankly, the financial firm needs the service provider. They’re not always easily replaceable,” he says. “I would think the banks would be looking for financial compensation rather than simply exiting the agreement, because Ion is too important to too many banks.”

Additional reporting by Philip Alexander and Anthony Malakian
